[sandbox] Fix JSArrayBuffer serialization

In case a JSArrayBuffer is empty but has an extension installed, the
previous code would not clear the extension prior to serialization. This
would then cause a DCHECK failure right after serialization when
restoring the extension pointer because we only allow changing from
nullptr to a non-null extension pointer.

Bug: chromium:1335043
Change-Id: I9276da0ebb7ecf0d22949c3d1294cfa90bad7a7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096479
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84798}
Samuel Groß 2022-12-12 09:23:32 +00:00 committed by V8 LUCI CQ
parent d46662c084
commit f8ca14b769


@ -571,11 +571,11 @@ void Serializer::ObjectSerializer::SerializeJSArrayBuffer() {
uint32_t ref =
SerializeBackingStore(backing_store, byte_length, max_byte_length);
buffer.SetBackingStoreRefForSerialization(ref);
// Ensure deterministic output by setting extension to null during
// serialization.
buffer.set_extension(nullptr);
}
// Ensure deterministic output by setting extension to null during
// serialization.
buffer.set_extension(nullptr);
}
SerializeObject();
{
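Review bot: The moved `buffer.set_extension(nullptr);` now runs for empty buffers as well, so the code after `SerializeObject();` that restores the extension pointer (outside the visible context) must also restore it unconditionally; the commit message says the restore only permits a nullptr-to-non-null transition, so a restore that is still gated on the non-empty branch would leave the extension cleared for empty buffers. It would also help to extend the comment above the new call, which only mentions deterministic output, with the second reason the commit message gives: clearing in both branches is what keeps the post-serialization DCHECK from firing for empty buffers with an extension.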